Chcon

What Developers Get for Free?
2024-11-22, Ngaio Marsh Theatre

Gone are the days when developers had to craft their own session management systems and rely on CGI calling Perl scripts (hopefully!). Today, programming languages and frameworks offer a wealth of built-in security features—often for free. But what exactly do these features provide, and how can we leverage them to elevate our security code reviews, penetration testing practices, and even compliance efforts?

In this talk, we'll explore the security mechanisms that modern frameworks and languages offer out of the box. We'll dive into how understanding these built-in tools can transform your approach to code review and penetration testing, allowing you to focus on the nuances and deeper issues that could compromise your application’s security. Whether you're a security professional, developer, or compliance officer, this session will equip you with the knowledge to make the most of the features at your disposal and ensure your applications are as secure as possible.


Developers! Developers! Developers! Developers! Developers! Developers!

In this talk, we’ll dive into the evolving landscape of built-in security features provided by modern frameworks and languages. We’ll start with a look at Ruby on Rails, which pioneered many security features such as protection against SQL injection and XSS, and how these innovations set the stage for today’s robust frameworks.
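The two Rails protections mentioned above, parameterised queries and output escaping, rest on one idea: untrusted input is passed to the database or the browser as data, never spliced into code. The following is an added Python illustration of that idea (it is not part of the talk and not Rails' own code); it uses an in-memory SQLite table constructed for the example and the standard library's `html.escape` to stand in for a template engine's auto-escaping.

```python
import html
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data standing in for an application's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, bio TEXT)")
    conn.executemany(
        "INSERT INTO users (name, bio) VALUES (?, ?)",
        [("alice", "likes <b>bold</b> text"), ("bob", "plain bio")],
    )
    return conn


def find_user_unsafe(conn: sqlite3.Connection, name: str) -> list:
    # String interpolation: the input becomes part of the SQL text, so the
    # database cannot tell the query apart from the data.
    return conn.execute(f"SELECT name FROM users WHERE name = '{name}'").fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    # Placeholder binding, which is what an ORM such as ActiveRecord does for
    # you: the value travels separately from the query text and is only ever
    # compared, never parsed.
    return conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()


def render_bio(bio: str) -> str:
    # Output escaping: every interpolated value is encoded for the HTML
    # context, so markup in stored data renders as text rather than executing.
    return f"<p>{html.escape(bio)}</p>"


if __name__ == "__main__":
    conn = build_db()
    hostile = "x' OR '1'='1"
    print("unsafe:", find_user_unsafe(conn, hostile))  # matches every row
    print("safe:  ", find_user_safe(conn, hostile))    # matches nothing
    print(render_bio("likes <b>bold</b> text"))
```

The review question this turns into is simple: any place where the framework's binding or escaping is bypassed (raw SQL strings, "safe"/"html_safe" markers on user-controlled data) is where the remaining effort should go.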

We’ll then explore contemporary frameworks like Django and ASP.NET Core, which offer advanced security features such as automatic password hashing upgrades and extensive built-in protections. We'll demonstrate how these features can enhance your development practices and why they matter.

In addition, we’ll discuss the significance of comprehensive documentation and error-proofing to prevent developers from reinventing the wheel and to streamline focus on critical areas.

We’ll also cover how developers can contribute to this ecosystem, whether by implementing similar practices internally or by contributing to open-source projects to expand the availability of these built-in security features.

Finally, we’ll examine the impact of these built-in features on penetration testing, code reviews, and compliance. By leveraging these features, you can strategically target your efforts on custom code and integrations. Or, by focusing on these widely-used features, you have the opportunity to uncover high-impact vulnerabilities that many developers rely on—making it harder to find issues, but offering significantly higher rewards when you do.

Louis Nyffenegger is a seasoned security engineer and the founder of PentesterLab, a platform dedicated to teaching web penetration testing. With over a decade of experience in cybersecurity, Louis has focused on penetration testing, architecture analysis, and code reviews. He also launched a YouTube channel, AppSecSchool, further extending his passion for education in application security.